Environment variables
Environment variables are how the agent runtime, MCP sidecars, and hooks receive configuration. Two kinds are supported:
- Plain values — string literals stored on the resource.
- Secret references — values resolved at workload start from a secret.
The orchestrator injects ENVs into the container at workload assembly time. The container sees standard KEY=VALUE pairs in its environment. Secrets are never written to disk and never reach the cluster's API server outside the workload's pod.
Where ENVs are configured
ENVs belong to an agent, MCP server, or hook — not to the organization. Set them per resource so each container gets only what it needs.
| Resource | Console path |
|---|---|
| Agent | Agents → <agent> → ENVs tab |
| MCP server | Agents → <agent> → MCPs → <mcp> → ENVs tab |
| Hook | Agents → <agent> → Hooks → <hook> → ENVs tab |
Add a plain ENV
In the Console
- Open the resource's ENVs tab.
- Click Add variable.
- Type the Name and Value.
- Save.
Plain ENVs are stored in cleartext in the platform database. Do not use them for credentials.
With Terraform
```hcl
resource "agyn_agent_env" "log_level" {
  agent_id = agyn_agent.support.id
  name     = "LOG_LEVEL"
  value    = "info"
}
```
Add a secret-backed ENV
In the Console
- ENVs tab → Add variable.
- Toggle the value type to Secret reference.
- Pick a secret from the dropdown (lists secrets in the current organization).
- Set the Name the container will see (e.g. STRIPE_API_KEY).
- Save.
The Console shows secret-backed ENVs with a key icon. The resolved value is never displayed — only the secret name and reference.
With Terraform
```hcl
resource "agyn_agent_env" "stripe_key" {
  agent_id  = agyn_agent.support.id
  name      = "STRIPE_API_KEY"
  secret_id = agyn_secret.stripe_api_key.id
}
```
Resolution timing
Secret values are resolved when the workload is created — not when the configuration is updated. If you rotate a secret in your secret provider, the next workload start picks up the new value. Workloads already running continue with the value they were started with until they restart.
For a rotation that needs to take effect immediately, stop the workload (Activity → Workloads → stop) so the orchestrator restarts it on the next message.
Limits
- ENVs are limited to ~32 KB total per container — Kubernetes' practical limit.
- ENV names follow standard shell rules: uppercase letters, digits, underscores; cannot start with a digit.
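A pre-deployment lint for the rules on this page (plain values must not hold credentials; names and total size must respect the limits), as an added example that is not part of the platform's own tooling. The credential-name pattern and the way the ~32 KB budget is counted (NAME=VALUE bytes, secret values excluded) are assumptions, and the input is a constructed list of dicts rather than a real export format.

```python
import re

# Assumptions (not from the platform docs): the ~32 KB budget is counted as
# NAME=VALUE bytes, and credential-looking names are found by a name heuristic.
MAX_TOTAL_BYTES = 32 * 1024
NAME_RE = re.compile(r"^[A-Z_][A-Z0-9_]*$")  # uppercase, digits, underscores
CREDENTIAL_HINT = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIAL)"
)


def lint_envs(envs):
    """Return (name, problem) findings for one container's ENV definitions.

    Each entry is a dict with "name" and either "value" (plain value) or
    "secret_id" (secret reference), mirroring the two kinds on this page.
    """
    findings = []
    total = 0
    for env in envs:
        name = env.get("name", "")
        plain = "value" in env
        if not NAME_RE.match(name):
            findings.append((name, "invalid name"))
        if plain == ("secret_id" in env):
            findings.append((name, "needs exactly one of value / secret_id"))
        if plain and CREDENTIAL_HINT.search(name.upper()):
            findings.append((name, "credential-like name stored as plain value"))
        # Secret values are unknown before workload start; count the name only.
        value = str(env["value"]) if plain else ""
        total += len(name.encode()) + 1 + len(value.encode())
    if total > MAX_TOTAL_BYTES:
        findings.append(("*", f"total size {total} bytes exceeds {MAX_TOTAL_BYTES}"))
    return findings


# Constructed sample input, not real configuration.
SAMPLE = [
    {"name": "LOG_LEVEL", "value": "info"},
    {"name": "STRIPE_API_KEY", "secret_id": "secret-placeholder"},
    {"name": "DB_PASSWORD", "value": "constructed-example"},
    {"name": "9LIVES", "value": "x"},
    {"name": "BLOB", "value": "a" * (33 * 1024)},
]

if __name__ == "__main__":
    for name, problem in lint_envs(SAMPLE):
        print(f"{name}: {problem}")
```

A finding for a credential-like plain value is a prompt to move that variable to a secret reference, since plain ENVs sit in cleartext in the platform database.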
Audit and inspection
ENVs are visible in Console → agent detail. Secret-backed ENVs show only the secret reference. The Tracing app does not display ENV values — it shows the agent's process environment only via redacted markers.